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Abstract 

A non-local box is an abstract device into which Alice and Bob input bits x and y respectively and receive outputs 
a and b respectively, where a, b are uniformly distributed and a(Bb = xAy. Such boxes have been central to the study 
of quantum or generalized non-locality, as well as the simulation of non-signaling distributions. In this paper, we start 
by studying how many non-local boxes Alice and Bob need in order to compute a Boolean function /. We provide 
tight upper and lower bounds in terms of the communication complexity of the function both in the deterministic and 
randomized case. We show that non-local box complexity has interesting applications to classical cryptography, in 
particular to secure function evaluation, and study the question posed by Beimel and Malkin |BM04| of how many 
Oblivious Transfer calls Alice and Bob need in order to securely compute a function /. We show that this question 
is related to the non-local box complexity of the function and conclude by greatly improving their bounds. Finally, 
another consequence of our results is that traceless two-outcome measurements on maximally entangled states can be 
simulated with 3 non-local boxes, while no finite bound was previously known. 

1 Introduction 

Communication complexity. Communication complexity is a central model of computation, which was first defined 
by Yao in 1979 0Yao79l . It has found applications in many areas of theoretical computer science including Boolean 
circuit complexity, time-space tradeoffs, data structures, automata, formula size, etc. In this model Alice and Bob 
receive inputs x and y respectively and are allowed to communicate in order to compute a function f{x, y). The goal 
is to find the minimum amount of communication needed for this task. In different variants of the model, we allow 
Alice and Bob to err with some probability, and to share common resources in an attempt to enable them to solve their 
task more efficiently. 

One such resource is shared randomness. When Alice and Bob are not allowed any errors, shared randomness 
does not reduce the communication complexity. On the other hand, when they are allowed to err, a common random 
string can reduce the amount of communication needed. However, Newman's result tells us that shared randomness 
can be replaced by private randomness at an additional cost logarithmic in the input size llNew91L 

Another very powerful shared resource is entanglement. Using teleportation, Alice and Bob can transmit quantum 
messages by using their entanglement and only classical communication. This model has been proven to be very 
powerful, in some cases exponentially more efficient than the classical one. Another way to understand the power of 
entanglement is by looking at the CHSH game IICHSH69I . where Alice and Bob receive uniformly random bits x and 
y respectively and their goal is to output bits a and h resp. such that a b ^ x A y without communicating. It is easy 
to conclude that even if Alice and Bob share randomness, their optimal strategy will be successful with probability 
0.75 over the inputs. However, if they share entanglement, then there is a strategy that succeeds with probability 
approximately 0.85. This game proves that quantum entanglement can enable two parties to create correlations that 
are impossible to create with classical means. 

Even though the setting of the previous game is not exactly the same as the model of communication complexity, 
we can easily transform one to the other. From now on, in our communication complexity model, instead of requiring 
Bob to output the value of the function f{x, y), we require Alice and Bob to output two bits a and b respectively, such 
that a (B b = f{x, y). We call this "computing / in parity". It is easy to see that the two models are equivalent up to 
one bit of communication. 
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Non-local boxes. As we said, entanglement enables Alice and Bob to succeed in the CHSH game with probability 
0.85. But what if they shared some resource that would enable them to win the game with probability 1? Starting 
from such considerations, Popescu and Rohrlich |PR94| defined the notion of a non-local box. A non-local box is an 
abstract device shared by Alice and Bob. By one use of a non-local box, we mean that Alice inputs x, Bob inputs y, 
Alice gets an output a and Bob gets b where a, b are uniformly distributed and more importantly a®b = x Ay. The 
name non-local box is due to the property that one use of a non-local box creates correlations between two bits that are 
maximally non-local (allowing to win the CHSH game with probability one), but still does not allow to communicate, 
since taken separately, each bit is just an unbiased random coin. As such, a non-local box may be considered as a 
unit of non-locality. We note here an important property of a non-local box, namely that, similar to entanglement, one 
player can enter an input and receive an output even before the second player has entered an input. 

The importance of the notion of a non-local box has become increasingly evident in the last years. Non-local 
boxes were first introduced to study (quantum or generalized) non-locality. In particular, it was shown than one of the 
most studied versions of the EPR experiment, where Alice and Bob perform projective measurements on a maximally 
entangled qubit pair, may be simulated using only one use of a non-local box IICGMP05I . More generally, it was 
shown that any non-signaling distribution over Boolean outputs may be exactly simulated with some finite number 
of non-local boxes (for finite input size) IIBP05llJM05l . This was later generalized to any non-signaling distribution, 
except that the simulation may not always be performed exactly for non-Boolean outputs PFWOS]. These results rely 
on the fact that the set of non-signaling distributions is a polytope, so it suffices to simulate the extremal vertices to 
be able simulate the whole set. In the context of non-locality, another application of non-local boxes is the study of 
pseudo-telepathy games IBM05I . 

It is easy to see that one use of a non-local box can be simulated with one bit of communication and shared 
randomness: Alice outputs a uniform bit r and sends x to Bob, who outputs r ® x ■ y. However, the converse cannot 
possibly hold, since a non-local box cannot be used for communication. 

The first question is what happens if we use non-local boxes as shared resource in the communication complexity 
model. Van Dam showed that for any Boolean function / : {0, l}" x {0, 1}" — ?• {0, 1}, Alice and Bob can use 2" 
non-local boxes and no communication at all and at the end output bits a and b such that a(Bh = f{x, y) [van05|. In 
other words, if non-local boxes were physically implementable, then all functions would have trivial communication 
complexity. His results were strengthened by Brassard et al. who showed that even if a non-ideal non-local box 
existed, one that solves the CHSH game with probability 0.91, then still all functions would have trivial communication 
complexity llBBL+061 . Note that in these results, the number of non-local boxes needed may be exponential in the 
input size and do not take into account any properties of the function and more precisely its communication complexity 
without non-local boxes. It also follows from the work of I BP05||BBL+06 I that for any Boolean function /, if / has a 
circuit with fan-in 2 of size s, then there is a deterministic non-local box protocol of complexity 0(s), where the bits 
of the input of / are split arbitrarily among the players. This implies that exhibiting an explicit function for which the 
deterministic non-local box complexity is superlinear, would translate into a superlinear circuit lower bound for this 
function. This is a notoriously difficult problem, and while a simple counting argument shows that a random function 
requires exponential size circuits, the best lower bound to date for an explicit function is linear IILR01IIIM02I . 

Secure function evaluation. Non-local boxes have also been studied in relation to cryptographic primitives such as 
Oblivious Transfer or Bit Commitment. Wolf and Wullschleger MWW05I showed that Oblivious Transfer is equivalent 
to a timed version of a non-local box (up to a factor of 2). To maintain the non-signaling property of the non-local box, 
one can define timed non-local box as having a predefined time limit, and if any of the players have not entered an 
input by this time, then some fixed input, say 0, is used instead. Subsequently, Buhrman et al. lBCU"'"07l showed how 
to construct Bit Commitment and Oblivious Transfer by using non-local boxes that do not need to be timed but have 
to be trusted. 

In this paper, we are interested in secure function evaluation, which is one of the most fundamental cryptographic 
tasks. In this model, Alice and Bob want to evaluate some function of their inputs in a way that does not leak any more 
information than what follows from the output of the function. It is known that there exists functions that cannot be 
evaluated securely in the information- theoretic setting ( IIBOGW88I ICCD88I |CK9 1 1 |Kus92| ). However, all functions 
can be computed securely in the information theoretic setting if the players have access to a black box that performs 
Oblivious Transfer or some other complete function, e.g. the AND function ( liGV88.iKil88J ). 



2 



There has been a lot of work trying to identify, in various settings, which functions can be easily evaluated in 
a secure way, i.e., without any invocation of the black box, and which are hard to evaluate securely, i.e., require at 
least one invocation of the black box ([CK91 Kus92 BMM99 Kil91 KKMOOO KilOO|). Moreover, Beaver |Bea96| 
showed that there exists a hierarchy of different degrees of hardness for the information-theoretic setting. In other 
words, for all k, there are functions that can be securely evaluated with k invocations of the AND box but cannot be 
computed with fc — 1 uses of the black box. 

Beimel and Malkin | BM04 1 proposed a quantitative approach to secure function evaluation by studying how many 
calls to an Oblivious Transfer or other complete black box one needs in order to securely compute a given function 
/ in the honest-but-curious model. For a Boolean function f : X x y ^ {0,1} and deterministic protocols, they 
provide a combinatorial characterization of the minimal number of AND calls required, which however does not lead 
to an efficient algorithm to determine how many ANDs are actually required. They also show that 21'^' ANDs are 
sufficient for any function. In the randomized case, they provide lower bounds depending on the truth-table of the 
function which can be at most of the order of n. They also state that "it would be very interesting to try and explore 
tighter connections with the communication complexity of the functions". 

Finally, Naor and Nissim UNNOll have given some connections between the communication complexity of a 
function / and the communication complexity for securely computing /. These results, translated into the Beimel- 
MaUcin and our model, only show that the number of ANDs is at most exponential in the communication complexity. 

Summary of results. In this paper, we provide more evidence on the importance of non-local boxes by showing how 
they relate to different models of communication complexity as well as how they can be used as a tool to quantitatively 
study secure function evaluation. 

First, we study how many non-local boxes are needed in order to distributively compute a Boolean function /. 
We define four different variants denoted N L, N L^, N \ N L^^ , where the first two are the deterministic and ran- 
domized non-local box complexity and the latter two are the deterministic and randomized complexity where the 
non-local boxes are only used in parallel. We provide lower and upper bounds for all these models in terms of com- 
munication models and show that in many cases our bounds are tight. 

For the deterministic parallel non-local box complexity, we show that NL^^ (/) is equal to the rank of the function 
/ over GF2. This also implies that it is equivalent to the communication complexity of the function in the following 
model: Alice and Bob send to a referee one message each and the referee outputs the Inner Product of the two vectors 
mod 2. Moreover we show that NL^^ (/) is always greater than the deterministic communication complexity D{f) and 
less than These bounds are optimal as can be seen by looking at the functions of Inner Product and Disjointness. 

In the randomized parallel case, we define a notion of approximate rank over GF2 which is equal to NLe(f), 
under the assumption that the output of the protocol is the XOR of the outcomes of the non-local boxes. The notion of 
approximate rank over R has been used for communication complexity |Bd01 1 and gives upper and lower bounds in 
the randomized model. 

For the deterministic non-local box complexity NL{f), we show that it is at least the communication complexity 
D{f) and, of course, smaller than NL^^{f), which is again a tight bound. In the randomized case, we prove that it 
is bounded above by the communication complexity _RII'^^'^'^(/) in the following model: Alice and Bob send to a 
referee one message each and the referee outputs 1 if for the majority of indices, the two messages are equal. This is 
a natural model of communication complexity that has appeared repeatedly, for example in the simulation of quantum 
protocols by classical ones and in various upper bounds on simultaneous messages [IKNR99I IGro97l ISZ08I iLSOSl . 
This model is also bounded above in terms of 7^°, a quantity which has been used for upper and lower bounds on 
communication complexity [LS08 |. 

In another application of our work, using the recent result of Regev and Toner IIRT07I . we show that traceless 
two-outcome measurements on maximally entangled states can be simulated with 3 non-local boxes. Previously, no 
finite bound was known for this case. In order to do this we need to extend our results from Boolean functions to any 
distribution. 

Then, we look at the consequences of our results in the area of secure function evaluation. The main question 
we study is how many calls to a secure primitive one needs to make in order to securely evaluate a function /. 
Specifically, in the honest-but-curious model, we exactly characterize the number of secure AND boxes we need in 
order to evaluate / by the one-way communication complexity of /. Our proof will be reminiscent of our proofs for 
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the non-local box complexity. In the malicious model, we upper bound the number of Oblivious Transfer boxes needed 
by the non-local box complexity of /, when the non-local boxes are used in order. This implies strong upper bounds 
in terms of the communication complexity as well as 73°. For the lower bounds, we show that the communication 
complexity of / remains a lower bound for optimal protocols that securely evaluate /. 

Our results show that non-local boxes, introduced for the study of quantum correlations or more general non- 
locality, can provide a novel way of looking at questions about classical communication complexity, secure function 
evaluation and complexity theory. 

2 Preliminaries 

2.1 Communication Complexity 

Let / : A* X 3^ — > {0, 1} be a bipartite Boolean function. Alice gets an input x £ X and Bob gets an input y Gy. We 
say that Alice and Bob compute f{x, y) in parity if after executing a protocol, Alice outputs a bit a, and Bob outputs 
a bit b such that a © 6 = /(x, y), where we use © to denote both the logical XOR and addition mod 2. This model 
differs from the standard model, where one of the players outputs the value of the function, by at most 1 bit. 

We use the following notions of communication complexity. In probabilistic models, we assume that the players 
have a common source of randomness. 

• D{f) and Re (/): deterministic and e-bounded error communication complexity of f{x, y) in parity. 

• D^{f) and (/) : one-way deterministic and bounded-error communication complexity of / (x, y ) in parity. 

• DII (/) and deterministic and bounded-error communication complexities in the model of simultaneous 
messages, where AUce and Bob each send a message to the referee and the referee outputs the value of the 
function /(a;, y). 

For the model of simultaneous messages, we also consider some natural restrictions on how the referee computes 
the output from the messages he receives from the players. We assume the messages sent are of the same length. 
Suppose the referee receives bits a = (04, . . . , oj) from Alice, and b = (61, . . . , 64) from Bob. If the referee always 
computes a predefined function g(a, b), then we write or -R|'^(/) to be the length of the message sent by the 

players (not the sum of these lengths, as is done in the standard model). In this paper, we will consider two functions, 
the inner product modulo 2, IP2 (a, b) = 0^ (a^ • bi) (where • denotes the multiplication over GF2, which corresponds 
to the logical AND) and the majority function, MAJ(a, b) = MAJ{ai © 61, . . . , a* © bt). 

2.2 Non-local box Complexity 

Definition 1 (Non-local box). A non-local box is a device shared by two parties, which on one side takes Boolean 
input X and immediately produces Boolean output a, and on the other side takes Boolean input y and immediately 

produces Boolean output b, according to the following distribution: pjvl(o, b\x, y) = 

Let us stress the importance of timing in this definition. Indeed, Alice should receive her output a from the box 
as soon as she has entered her input x, no matter if Bob has already entered his input or not (and vice-versa). This 
is possible because the input-output distribution is non-signaling, that is, the marginal distribution of Alice's input a 
does not depend on Bob's input y, since p{a\x, y) — 1/2 for any a, x, y. In other words, from Alice's point of view, 
a is just an unbiased random bit. The reason for this definition is to mimic an EPR experiment, where Alice obtains 
her measurement outcome as soon as she performs her measurement, independently of whether Bob has performed 
his measurement or not. 

We study a model akin to communication complexity, where Alice and Bob use non-local boxes instead of com- 
munication. In a non-Iocal box protocol, Alice and Bob wish to compute some function / : A:" x 3^ ^ {0, 1}. Alice 
gets an input x E X, Bob gets an input y G y, and they have to compute /(./;, y) in parity. Recall that it means that at 
the end of the protocol, Alice outputs o e {0, 1} and Bob b G {0, 1}, such that o © 6 = f{x,y). For a protocol P, we 



r 2 '■/(^ ®b = x ■ y 
\ otherwise. 
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will write P{x, y) — (a, b). In the course of the protocol, Alice and Bob are allowed shared randomness and may use 
non-local boxes, but they may not communicate. Bob is not allowed to see Alice's inputs to the non-local boxes, nor 
does he see the outcome on Alice's side, and likewise for Alice. 

Definition 2. For any function f : Xxy — > {0, 1}, NL(f) is the smallest t such that there is a protocol that computes 
f in parity exactly, using t non-local boxes. 

We will label the non-local boxes with labels from 1 to t. (Recall that in general, Alice and Bob are not required 
to use the t non-local boxes in the same order.) We relax the exactness condition and allow the protocol's outcome to 
be incorrect with constant probability e. 

Definition 3. For any function f : X x y ^ {0, 1}, NL^{f) is the smallest t such that there is a protocol P using t 
non-local boxes, with Pr[P(x, y) — (a, b) with a (S b = f(x, J/)] > 1 — s. 

We will also study two variants of the general model, where the non-local boxes are used in a restricted manner. 
First, we assume that the non-local boxes are used in parallel, that is, the input to any non-local box does not depend 
on the outcome of any other. In this model, we denote the complexity A^L" in the exact case, and NL^ in the e error 
case. 

Second, we define the model where both players use the non-local boxes in the same order, that is, the non-local 
boxes are labeled from 1 to t and Alice's input to the non-local box with label i does not depend on the outputs from 
the non-local boxes labeled from i + 1 to ^ (similarly for Bob). Note that in the most general case, Alice and Bob 
may use their t non-local boxes with labels 1 through t in whichever order they want. For example, Alice may use the 
non-local box with label 3 first, then use the output in order to compute the input for the non-local box with label 1, 
while Bob might use the non-local box with label 1 first and so forth. The complexity in this model is denoted NL™'^ 
in the exact case, and NL™''^ in the e error case. It is clear that this model is more powerful than the parallel model but 
less powerful than the general non-local box complexity. In fact, we will only use this last variant when we talk about 
secure function evaluation. Note also that in all these models, the non-local boxes are still non-signaling and Alice 
and Bob receive the outputs of the non-local boxes immediately after they enter their inputs. 

Finally, we consider a restriction where the players always output the same predefined function g of the outputs 
of the non-local boxes. Let (ai, 6i), . . . , (cf , 6t) be the outcomes of the t non-local boxes in some particular run of a 
protocol. Of particular interest are protocols where Alice outputs a = ai © • • • © at and Bob outputs b — bi®- ■ - (Bbt. 
The function g is used in a superscript to denote the complexity of a function / in this model, NL^ in the determinstic 
case, and iVif in the e error case, and in particular, A^lH ® and NL^'^ when the non-local boxes are in parallel and 
5 = ®. 

2.3 Secure Function Evaluation 

We will consider the following cryptographic primitives. 

Definition 4 (Oblivious transfer). A 2-1 Oblivious Transfer ( OT) is a device which on input bits pQ,pi for Alice and q 
for Bob, outputs bit b to Bob, such that b — pq. 

Definition 5 (Secure AND). A secure AND is a device which on input bits p for Alice and qfor Bob, outputs bit a to 
Alice, such that a — p ■ q. 

While at first view, these definitions seem similar to the definition of the non-local box, note that the timing 
properties are different: for the cryptographic primitives, the outputs are produced only after all the inputs have been 
entered into the device. It is precisely this subtlety that has led to confusion when trying to use non-local boxes to 
implement cryptographic primitives, in particular for bit commitment, when timing is particularly important, since a 
cheating Alice could wait until the reveal phase before committing her bit into the non-local box, without Bob ever 
realizing it ||BCU^07| . However, we will see that this is not an issue for our results on secure computation. 

Let / : X X y {0, 1} be a bipartite Boolean function. We study the number of cryptographic primitives 
required to compute /. In all the models we consider, we require perfect privacy. In the honest-but-curious model, 
perfect privacy means that when a player follows the protocol, he should not learn more than required about the other 
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player's input. In the malicious model, this condition must still hold even if the player does not follow the protocol. 
Not more than required means, for models where the function must be computed in parity, that the players should 
learn nothing about the other's input, while for models where one of the player should output the function, it means 
that this player should learn nothing more than what he can infer from his input and the value of the function, while 
the other player should learn nothing. 

Let us note that AND may not be used as a primitive in the mahcious model, so we will consider the OT primitive 
instead. Moreover, in this model, it is known that perfect privacy IIDM99I cannot be achieved without randomness. 
Therefore, in this setting we do not consider the deterministic model. Our bounds in the randomized malicious model 
also hold for the weaker honest-but-curious model. 

• AND{f): number of secure AND gates required to securely compute /(x, y) (not in parity) in the determinis- 
tic, honest-but-curious model. We note that we can allow free two-way communication without in fact changing 
the complexity IIBM04I . 

• OT^{f): number of 2-1 Oblivious Transfer calls required to compute f{x, y) in parity with perfect privacy and 
e error over the players' private coins, assisted with (free) two-way communication, in the malicious model. 

2.4 Complexity Measures 

We will compare non-local box complexity to traditional models of communication complexity and prove upper and 
lower bounds for this new model. Some of these bounds are in terms of the factorization norms of the communication 
matrix [LS08i and related measures. 

Definition 1. Let M be a real matrix. The 72 norm of M is 72(M) = minxTY=M col{X)col{Y), where col{N) is 
the largest Euclidian norm of a column of N. 

It is known that 21og(72(M)) gives a lower bound on deterministic communication complexity of M, where 
M is a sign matrix of the Boolean function to be computed IILS08I . In order to lower bound the bounded error 
communication complexity in the randomized and quantum case, we consider a "smoothed" version of this measure. 

Definition 2. Let M be a sign matrix and a > 1. 72 (-^) = min{72(A'^) : Vz, j l<Mi,jNi,j<a}. In particular, 
^"^{M) is the minimum 72 norm over all matrices N such that 1 < MijNi^j. 

The measures 72 and 7^ give upper and lower bounds for bounded-error communication complexity IILS08I : 

2 log(72" (/)/«) < Reif) and Ri^'^'^'^if) < Oii-f^{f)f) (implicit in llLSOSl ), where a = j^. 

The discrepancy of a sign matrix M over inputs XxY with respect to distribution /i over the inputs is Disc^ ( A/) = 
maxfl^^^ j^-)gjj/x(a;,?/)M(x,y), where i? is taken from all possible rectangles. It is known that 7!° (/) = 0("o7j^;(jy)^ 
and for any a, -i^{f) < ^^f) LLS08|. 

Finally, for a Boolean function, the Li norm is defined as the sum of the absolute values of its Fourier coefficients. 

Definition 3. Let f : {—1, 1}^" — > {—1, 1}, and denote by as the Fourier coefficients of f, that is f{x) = 
I^sc{o,i}"" ^sXs{x) where xs{x) = Iljes^^i. The Li norm of f is defined by Li{f) = J^s \^s\- 

We can think of the 2n bits of input of the function as equally split between Alice and Bob. Grolmusz uses this 
notion to upper bound the randomized communication complexity by proving that Re{f) < (/)) IIGro97l . 

3 Deterministic non-local box complexity 

3.1 Characterization of A^L ® in terms of rank 

We start by studying a restricted model of non-local box complexity, where the non-local boxes are used in parallel 
and at the end of the protocol, Alice and Bob output the parity of the outputs of their non-local boxes respectively. We 
will show that the complexity of / in this model is equal to the rank of the communication matrix of / over GF2. It 
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is known that this rank is equal to the minimum to, such that f{x, y) can be written as f{x, y) = 0^(2;) • bi{y) 

(see also I BdOlll ). 

This restricted variant of non-local box complexity is exactly the one that appears in van Dam's work ||van05l . 
where he shows that any Boolean function / can be computed by such a protocol of complexity 2". Moreover, we 
prove that the restriction that the players output the XOR of the outcomes of the non-local boxes is without loss of 
generality. 

Theorem 1. NL^^'®{f) = rankcF^C^/) = D^^^^^'if). 

Proof. We start by showing that NL^^'®{f) < rank^Fs (Af/)- Let rank^Fa (-^^/) — fi^^v) — ®ie[t]Pii^) ' 

qi{y). Then we construct a protocol that uses t non-local boxes in parallel, where Alice and Bob output the parity 
of the outcomes of the non-local boxes and for every input (x, y) the output of the protocol is equal to f{x, y). The 
inputs of Alice and Bob to the i-th non-local box are the bits Pi{x) and qi{y),i G [t] respectively and let a^, bi the 
outputs of the non-local box such that a; © 6^ = Pi{x) ■ qi{y)- Alice and Bob output at the end of the protocol the 
value (0,;g[t] a,) © (0,g[t] b,) = 0,g[t]K(a;) ■ q^{y) = f{x,y). 

Conversely, if there exists a protocol where Alice and Bob use t non-local boxes in parallel with inputs pi (x) , qi (y) 
and outputs a^, bi, their final output is (0,;g[f] a^) © (0jg[t] bi) and it always equals f{x, y), then we have f{x, y) = 
(0je[t] "-i) ® (®je[t] ^0 = 0je[t]P»(a;) • qt{y) and hence rankcF^CA^/) < ^■ 

From this last argument, we get ZjH'^^^ (■j^ < jVi'l'® (/) since the players can send pi and q,; to the referee who 
computes the inner product. For the converse, if the referee receives uia, ms from each player and computes their 
inner product mod 2, the players can instead input each bit of the message into a non-local box and output the parity 
of the outputs to obtain the same result. □ 

For the next corollary, we use the fact that log(2rankF(M/) - 1) < D{f ) + 1 for any field F (see IIKN97II ). (The 
plus one on the right side of the inequality appears because in our model where the value of the function is distributed 
among the players, the communication complexity can be one bit less than in the standard model.) 

CoroUaryl. iVLll'®(/) < 2^(^). 

On the other hand, it is easy to see that the one-way communication complexity is a lower bound on the non-local box 
complexity. 

Lemma 1. D^{f) < NL{f). 

Proof. For any deterministic non-local box protocol of complexity t, Alice can send her t inputs to the non-local boxes 
to Bob, and since the protocol is always correct, in particular it is correct if both players assume that the output of 
Alice's non-local boxes are 0, Alice can output using this assumption. Bob can then compute his outputs of the 
non-local boxes and complete the simulation of the protocol. This shows that the one-way communication complexity 
is at most t. □ 

Notice that similarly to the traditional model, this implies an upper bound on the simultaneous messages model 
when computing in parity as well since for deterministic communication complexity, Z?" (/) < D~^{f) + D^{f) + 2. 
To see this, it suffices to see that Alice's message plus her output, together with Bob's message plus his output, 
determine a monochromatic rectangle in the communication matrix. 

3.2 Removing the XOR restriction 

In this section we show that both in the general and in the parallel model of deterministic non-local box complexity, 
we can assume without loss of generality that the players output the XOR of the outcomes of the non-local boxes. 

Theorem 2. NL{f) < NL®{f) < NL{f) + 2. 

Proof. Let P any protocol that uses t non-local boxes and at the end Alice outputs A{x, a) and Bob outputs B{y, b), 
where a — (ai, . . . ,at) and b = (61, . . . , 64) are Alice and Bob's non-local box outputs. Instead of outputting these 



7 



values they use another two non-local boxes with inputs {A{x, a) © (0jg[t] Oj), 1), (1, B{y, b) ® (0jg[t] h))- Denote 
by {at+i,bt+i), (at+2, the outputs of the non-local boxes. We have 



at+i e 6t+i = ^(a;, a) e ttj , at+2 6t+2 = b) 6i 
ie[t] ie[t] 



Finally, 



( h) 



(0ai)©(06i)©^(a;,a) 



je[t+2] ie[t+2] 



iG[*] ie[t] 



©B(j/,b)©(0ai)®(06i) 



i6[t] ie[t] 

^(a;,a)©B(?/,b). 



□ 



Unlike the general case, showing that in the parallel case we can assume that the players output the XOR of the 
outputs of the non-local boxes is not a trivial statement. 

Theorems, NL^^if) < NL^^^^if) < NL^^if) + 2. 

We proceed by providing two lemmas before proving our theorem. 

Lemma 2. Let a, b the outcomes of a non-local box and F, G, H arbitrary Boolean coefficients that do not depend on 
a, b. If for all a, (F ■ a) ® {G ■ b) ® H = 0, then F = G. 

Proof Denote by p, q the inputs to the non-local box. By setting a = and a = 1, we have {G ■ p ■ q) (B H = and 
F®G®{G-p-q)®H = 0. This implies F = G. □ 

We now fix some notation. Let / : {0, 1}" x {0, 1}" — > {0, 1} and P a protocol that computes / with zero error 
and uses t non-local boxes in parallel. Let pi (x), qi (y) the inputs to the i-th non-local box and a.i, bi the corresponding 
outputs. We also note a = (ai, . . . , Of) and b = (61, ... , bt). Let A{x, a) = 0sc[f] A-s{x) ■ as and B{y, b) = 
©sc[<] Bs{y) ■ bs the final outputs of Alice and Bob, where As are polynomials in x, Bs polynomials in y, as = 
Yli^s ~ Tlies ^i- Then, from the correctness of the protocol, we have 



We show that, without loss of generality, we may assume that the inputs to the non-local boxes satisfy some linear 
independence condition. 

Deiuiition4. A set of bipartite functions {fi{x,y)\i e T} is linearly independent if ^-^rpCi- fi{x,y) = a{x)®P{y), 
for some Ci € {0, 1} andfunctions a{x),j3{y), implies Ci = O^i € T and a{x) = P{y). 

Lemma 3. Let P be a protocol for f using t non-local boxes in parallel. Then there exists another protocol whose 
output is always equal to the one of P, uses t' < t non-local boxes in parallel and the inputs to the non-local boxes 
are such that the set {pi{x) ■ qi{y)\i & [t']} is linearly independent. 

Proof Suppose that 0jg[t] Q • pi{x) ■ qi{y) = a{x) © /3(y), with Cfe = 1 for some k e Then pk{x) ■ qk{y) = 
a{x) © p{y) © 0i£[t]\{fe} Ci ■ pi{x) ■ qi{y). Since Pk{x) ■ qkiv) = ak® bk, Alice and Bob do not need to use the 
fc-th non-local box when implementing protocol P, it suffices for Alice to set ak = a{x) © 0jg[i]\{fej Ci ■ ai and for 
Bob to set bk = l3{y)(B ®ie[t]\{k} Ci • which implies a new protocol with t — 1 non-local boxes. By repeating this 
procedure, they can build a protocol using t' <t non-local boxes and such that the whole set {p, {x) ■ qi{y)\i G [f] } is 
linearly independent. □ 



V(a;, y, a), f{x, y) = A{x, a) © B{y, b). 



8 



Proof of Theorem\3\ Since by definition iVill(/) < iVLll'®(/), it suffices to show that NL\\-®{f) < NL\\{f) + 2. 
Let NL^\f) — t and let P be a deterministic protocol for /, using t non-local boxes. Let A(x,a) = ^©(a;) © 
®sc[t] ^s{x) ■ as and B{y, b) = B(ii{y) © ®5c[t] ^siv) ' the outputs of Alice and Bob respectively, where the 
subsets S are non-empty. First, in order to simulate the two local terms Ag^{x) and -80(2/), Alice and Bob can use 
two non-local boxes with inputs {Ai},{x), 1) and (1, _B0(y)). For the rest of the proof, all the subsets we consider are 
non-empty. We proceed by proving two claims about the outputs of the protocol. 

Claim 1. For all {x,y, a) and for all T C [t], ^s-.tcs "^six) ■ as\T = ^s-.tcs ^s{y) ■ bs\T- 

Proof. We prove this claim by induction on the size of T. By definition, the protocol satisfies for all (x, y, a), 
f{x,y) ~ A{x,a) © B{y,h). By factorizing the k-th non-local box, we get the following expression for every 

{x,y,a): 

fix,y)^ (^s(x) ■as©Bs(2/) -Meofc ■ ( Asix) ■as\{k})(Sbk-i^ Bs{y) ■ bs\{k})- 

S:k(^S S:keS S:keS 

We can now use Lemma |2] and have that 

As{x) ■ as\{k} = Bs{y) ■ bs\{k}, 

S:keS S:keS 

for all (x, y, a) and for all k g [t]. Hence, the claim is true for any subset T with \T\ = 1. Suppose for the induction 
that it is true for any set of size n £ [t — 1] and consider any T such that |r| ~ n. Let k ^ T, 

Asix)-as\T = Bsiy)-bs\T: 

S:TCS S:TCS 

As{x)as\T®ak{ As{x)as\Tu{k}) = Bs{y)bs\T (B bk{ Bs{y)bs\Tu{k})- 

S:TCS,k^S S:Tu{fc}CS S:TCS,k^S S:Tu{k}CS 

Applying Lemma|2]in the previous equation proves the claim for any T U {k} and hence any set of size n + 1, which 
concludes the proof of Claim [T] □ 

Claim 2. For all (x, y) and for all T C [t\, we have: 

\T\>1 AT{x) = BT{y)^Q, 
\T\ = l AT{x)^BT{y). 

Proof. We prove this claim by downward induction on the size of T, starting with |T| = t, that is, T = [t]. We 
immediately obtain from Claim[T]that (x) — B\t\ (y). As a consequence, these do not depend on x or y, and we 
may define C\t\ = ^[i] {x) = -B[t] {y). Moreover, we can define As{x) — Bs{y) = for any S* 3 [t]. 

Now let n > 2 and suppose that for any set S of size equal or larger to n + 1, we have As{x) = Bs{y) = 0, and 
for any set S of size n, we have As{x) = Bs{y). From Claim[T] we obtain that for all sets T of size n — 1, 

At{x) © Cruik] ■ au = St(j/) © CTu{fc} • 

fc^T k^T 

where we have defined C5 = ^5(2;) = Bg{y) for all S of size n. Since © 6^ = Pk{x) ■ Qkiu), we have 
®fc^T ^Tu{k} • Pk{x) ■ Qkiu) — At{x) © Bxiy), and by linear independence, we conclude that Ctu{/c} = and 
At(x) = BT{y). Using the same argument for any T of size n — 1, we obtain that ^5(2;) — Bs{y) = for all S of 
size n, and At{x) — Bxiy) for all T of size n — 1, which concludes the proof of Claim|2] □ 

This claim implies that the protocol P outputs the parity of two local terms plus the outcomes of the non-local boxes, 
and as a consequence NL^^'®{f) <t + 2. □ 
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3.3 Optimality of our bounds 

We show here that the bounds we proved in the previous section on the parallel and general non-local box complexity 
(Dif) < NL^^if) < 2^(-') and D{f) < NL{f) < iVill(/) respectively) are optimal by giving examples of 
functions that saturate them. The first function we consider is the Inner Product function, IP{x, y) = G)i{xi A yi), 
with x,y e {0, 1}". For this function we have that D{IP) = NL{IP) = NL^^{IP) = n. 

The second function we consider is the Disjointness function, which is equal to DISJ{x,y) ~ Vi{xi A yi), 
with x,y E {0, 1}". It is well-known that for the communication matrix of the Disjointness function we have 
TankGw^iMoisj) = 2" and hence NL\\-®{DISJ) = 2". On the other hand, we have D{DISJ) = n and show that 
NL{DISJ) = 0{n). We describe below a simple protocol for the Disjointness function that follows from lBBL+061 
and was pointed out to us by Troy Lee and FaUc Unger. The Disjointness function also provides an example of an 
exponential separation between deterministic parallel and general non-local box complexity. 

Proposition 1. NL{DISJ) < 0(7i). 

Proof. On input x = xi ■ ■ ■ Xn,y — yi ■ ■ ■ yn, Alice and Bob use n non-local boxes with inputs {xi , yi) and get outputs 
Ui, bi with ai (B bi — Xi ■ yi. Then, they can use 2 non-local boxes in order to compute the OR of two such distributed 
bits since (afc ® 6*;) V {ai ® be) ~ (ofe V ai) © (ofc V be) {bk V ae) (B{bk'Vbe). The terms (a^ V ae) and {bk V be) can 
be locally computed by Alice and Bob respectively and hence they only need to use two non-local boxes with inputs 
(^flfe. -^be) and {^ae, -^bk) to compute the remaining terms. By combining n such distributed OR computations they 
compute Vi(ai © bi) and hence output the value of DISJ{x, y) after using 3n non-local boxes. □ 

4 Randomized non-local box complexity 

In this section, we consider protocols that use shared randomness and have success probability at least 2/3. We start by 
comparing the parallel non-local box complexity to communication complexity. Then we exactly characterize NL^'® 
in terms of the approximate rank (over GF2) of the communication matrix. 

4.1 Upper and lower bounds for NL^ 
Theorems R^'if) < NL^if) < NL^}'®{f) < 2^-'^f\ 

Proof. For the first inequality, Alice sends all her inputs to the non-local boxes to Bob. They use the shared randomness 
to simulate the output of Alice's non-local boxes, which Ahce can use to compute her output, and Bob uses to compute 
his outputs to the non-local boxes, and compute his output. 

For the last inequality, let us fix a randomized communication protocol P for / using t bits of communication. 
We can write P as a distribution over deterministic protocols P^ each using at most t bits of communication, and 
computing some Boolean function f^. By Corollary [T] iVL" < 2*. Taking the same distribution over the 

non-local box protocols for /r, we get NL}^'®{f) < 2* as claimed. □ 

Note that in fact any Nl\'^ protocol can be simulated in the simultaneous messages communication model, so in 
fact (/) < Nhl'^f), for any g. 

The approximate rank over the reals has been shown to be a useful complexity measure for communication com- 
plexity IIBdOlL For non-local box complexity, we now define the notion of approximate rank over GF2. 

Definition 5. Let Vt denote the convex hull of Boolean matrices with rank over (GF2 at most t. Then for a [0, 1]- 
valuet^ matrix A the approximate rank over (GF2 is defined by e— rankcFj (^) = inin{t : 3 A' G Vt with \\ A — 

A' \\oo<e}. 

The next proposition gives an alternative definition of the approximate rank for Boolean matrices. This definition 
enables us to relate the approximate rank to the non-local box complexity. 

'while in tliis section we are only interested in Boolean matrices, we give the definition for the general case of [0, l]-valued matrices as it will 
be useful in the next section. 
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Proposition 2. e— rankGF2 (Mf) is the minimum t, such that there exists a set of Boolean matrices Ai^ . . . , A]^, and 
a probability distribution over [i?] with the following properties: 

• For every r £ [R\, rankcFgC^r) < t, 

• For every {x,y), Probr[My (x, y) — Ar{x,y)] > 1 — e. 

Proof. Suppose that e—Tankc,r^{M f) = t, and let A ^ Vt such that || Mf — A \\oo^ £■ Denote by Ai, . . . ,Ad 
the vertices of Vt- By definition, A — t^i^i^ with l^i — ^ and Vi, pi > 0. For any {x, y), picking Ai{x, y) 
with probability fii has expected value E^{Ai{x,y)) — A{x,y). It follows that Proh^[Mf{x,y) ^ Ai{x,y)] = 
I Mf{x, y) — Efj,{Ai{x, y)) \ < e. Moreover, for any i, rankGF2 (^i) ^ t- This proves that the set Ai, . . . ,Ad and p 
have the desired properties. The proof goes conversely as well. 

□ 

Theorems. For any Boolean function f, NL^'^if) — e— rankcf^ (My) 

Proof. Fix a randomized protocol for / that uses t non-local boxes in parallel and is correct with probability at least 
1 — e. Let r be the string they share in the beginning of the protocol that is drawn according to some probability 
distribution from a set R. Since Alice and Bob output the XOR of the outcomes of the non-local boxes, the final 
outcome of the protocol is independent of the inherent randomness of the non-local boxes, in other words they always 
compute some function 17^(2;, y). Let us the consider the matrices Ar = Mg^. We know that rankGF2 (^r) < t for 
every r. Moreover, the correctness of the protocol implies Prob,. y) = Ar{x, y)] > 1 — e. This proves that 
e-rankcFa (Mf) < t. 

Conversely, suppose that e— rankcFa [Mf] — t. Then fix a set of Boolean matrices ^1 , . . . , Aji such that for every 
r G [i?], rankjjFa (^r ) < t and Probr[Af/(a;, y) = Aj.{x^ 2/)] > 1 — £■ Consider the following protocol for /: Alice 
and Bob pick at random r ^ R and compute the function gr{x, y) = Ar{x, y). As rankjjFa (^r ) < t, computing 
requires at most t non-local boxes in parallel. It is straightforward to check that this protocol is correct with probability 
at least 1 - e. Hence, iVLi''®(/) <t. □ 

In the randomized case, it is easy to get rid of the XOR restriction in general non-local box protocols, since 
the proof for the deterministic case still goes through. On the other hand, for the parallel case, this appears to be a 
surprisingly deep question, which remains open. The main obstacle appears to be related to the inherent randomness 
of the non-local boxes. 

Next, we relate the general non-local box complexity to the following model of communication: Alice and Bob 
send to a referee one message each and the referee outputs 1 if for the majority of indices, the two messages are equal. 
We denote the communication complexity in this model by This is a natural model of communication 

complexity that has appeared repeatedly in the simulation of quantum protocols by classical ones, as well as various 
upper bounds on simultaneous messages | KNR99, .Gro97. ,SZ08. LS08 J . 

Theorem 6. R^{f) < NL,{f) < 0{R^}^''^\f)). 

Proof. For the lower bound, Alice and Bob can use shared randomness to simulate the output of Alice's non-local boxes. 
Alice then computes her inputs to the non-local boxes, and sends them to Bob. From Alice's inputs and outputs to 
the non-local boxes. Bob may compute his inputs and outputs. The players may then compute their outputs to the 
protocol, which have the same probability distribution as the original protocol. 

For the upper bound, fix a t-bit simultaneous protocol for /, where the referee receives two messages a and 
b of size t from Alice and Bob and outputs MAJ{ai © 61, . . . , at © 64). It is well-known, by using an addition 
circuit, that the majority of t bits can be computed by a circuit of size 0{t) with A ND, NOT gates. Moreover, 
the distributed AND of two bits can be computed using two non-local boxes [B BL^06l . We conclude that the 
non-local box complexity of the distributed Majority is 0{t) and hence the theorem follows. □ 

Our theorem implies the following relation between non-local box complexity and factorization norms. 

CoroUary2. 2 log(72" (/)/«) < NL,{f) < 0{{^^{f)f ), where a = 
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Proof. It follows from our theorem and the inequahties 2 log(7f (/)/a) < R^{f) (see llLSOSl ') and R}''^^-' (f) < 
0{{lT{f)f) (also implicitly in llLSOSl '). □ 

It is known that 7j°(/) = ^{ uilc(f) )' ^"-"^ ^Tif) — 72 (/) IILS08L Hence, since discrep- 

ancy gives a lower bound on the quantum communication complexity with entanglement IIKre95ll . we get the 

following corollary. 

CoroUary3. NL,{f) < C'(22Q:(/)). 

Finally, we can relate the non-local box complexity of a function /, to the Li norm of the Fourier coefficients of 
/ by using a result by Grolmusz. Grolmusz showed that for any Boolean function /, there exists a randomized public 
coin protocol that solves / with complexity 0{L\{f )). This protocol can be easily transformed into a simultaneous 
messages protocol where the referee outputs the distributed majority of the message bits. Hence, 

Corollary 4. NL,{f) < 0(i?(/)). 

Let us make here a last remark about the proof of Theorem|6] We started from a Simultaneous Messages protocol 
where the referee outputs a Majority function and we constructed a non-local box protocol with complexity equal to 
the communication complexity. If we look at this protocol, we can see that Alice and Bob can use their non-local boxes 
in the same order This will be useful when we relate non-local boxes to secure function evaluation. 

Corollary 5. R^{f) < NL,{f) < NLf'if) < 0{rF'^'' (f)). 



4.2 Optimality of our bounds and an efficient parallel protocol for Disjointness 

In the deterministic case, we showed that our bounds are tight and also that the parallel and the general non-local box 
complexity can be exponentially different. Is the same true for the randomized case? 

In fact, the Disjointness and Inner Product functions almost saturate our bound in terms of 7|° for the general ran- 
domized non-local box complexity. More precisely, for the Disjointness function, we have that NL^{DISJ) — 9(n) 
(since R^{DISJ) = n{n) and NL{DISJ) < 0{n)) and using discrepancy 0KN97I Exercise 3.32], we have 
{iTiDISJ))'^ = e(n^). On the other hand, for the Inner Product function we have NL^{IP) = 8(n) but 

{iTiiP)? = 0(2")- 

The case of parallel non-local box complexity is more interesting. We can give a simple parallel protocol for the 
Disjointness function of complexity 0{n), hence showing that the exponential separation does not hold anymore. It is 
an open question whether or not parallel and general randomized non-local box complexity are polynomially related. 

Propositions. NL^I^^{DISJ) < 0{n). 

Proof. The idea is to reduce the Disjointness problem to a problem of calculating an Inner Product, which we know 
how to do with n parallel non-local boxes. In order to solve the general Disjointness problem with high probability, 
Alice and Bob proceed as follows: they look at a shared random string ri, . . . , r„ and consider the strings x Ar and 
y A r as inputs. In other words, they pick a random subset of their input bits, by picking each index with probability 
1/2. Then they perform an Inner Product calculation on their new inputs by using n non-local boxes in parallel. Let 
a © & = IP{x A r, y A r). It is easy to see that if DISJ{x, y) = 0, then IP[x A r,y A r) = for all r. On the 
other hand, if DISJ{x, y) = 1, i.e., if the intersection is non-empty, then Prob,.[/P(a; A r, y A r) = 1] = 1/2, since 
for a random subset, the probability that the size of the intersection on this subset is odd is exactly the same as the 
probability that the intersection is even. Hence, we have a one-sided error algorithm for Disjointness that is always 
correct when DISJ{x, y) = and is correct with probability 1/2 when DISJ{x, y) = 1. 

We can get a two-sided error algorithm in the following way: Alice and Bob simulate the protocol above until they 
obtain the outputs a, b. Then, using their shared randomness, they output a ffi 5 with probability 1 — p, and ® 1 or 
1 © with probability p/2. It is easy to see that when DISJ{x, y) — then the success probability is 1 — p and when 
DISJ{x, y) = 1 the success probability is p + (1 — p)/2 = (1 + p)/2. Taking p = 1/3 makes the overall success 
probabihty of our algorithm 2/3. □ 
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5 Non-Iocal boxes and measurement simulation 



The question of the nature of non-local distributions arising from measurements of bipartite quantum states dates back 
to Maudlin IIMau921 . who used communication complexity to quantify non-locality. Perhaps a more natural question 
is how many non-local boxes are required to simulate quantum distributions, since non-local boxes maintain the non- 
signaling property of these distributions. For binary measurements on maximally entangled qubit pairs it is known 
that 1 use of a non-local box suffices |CGMP05|. 

In this section we present another application of our results on non-local boxes. Using the recent breakthrough 
of Regev and Toner IIRT07I . who give a two-bit one-way protocol for simulating two-outcome measurements on 
entangled states for arbitrary dimensions, we show that this can be done with 3 non-local boxes. Previously, no finite 
upper bound was known for this problem. 

Let p be a distribution over measurement outcomes AxB, conditioned on measurements Xxy. For measurements 
on quantum states, the distribution is non-signaling, that is, the marginal distributions do not depend on the other 
player's measurement: 

Va G ^, 6 G Z?, x G A", x' G A", 2/ G 3^, y' G 3^, p{a\x, y) — p{a\x, y') andp{b\x, y) = p{b\x' , y). 

Therefore we write the marginals p{a\x) and p{h\y). In this paper we focus on distributions with uniform marginals 
over A ~ B ~ {0^1}. These distributions are in bijection with [0, 1] -valued matrices. 

Definition 6 (Correlation matrix). Let p be a distribution with uniform marginals over A ~ B = {0, 1}, conditioned 
on measurements X xy. The correlation matrix Cp : A" x 3^ [0, 1] o/p is definedas Cp{x, y) — Pr[a©6 — l\x, y\, 
where a, h are distributed according to p. 

It is not hard to prove that the set of [0, l]-valued matrices is the convex hull of the set of Boolean matrices. This 
implies that the corresponding non-signaling distributions can be written as convex combinations of distributions of 
the following form. For any / : A' x 3^ -t- {0, 1}, we define the associated distribution 



In other words, the correlation matrix Cp^ {x, y) is Boolean and coincides with the communication matrix Mf. Ob- 
serve that any protocol for / simulates the distribution p/, since we may assume without loss of generality that the 
outcomes are uniformly distributed (otherwise, Alice and Bob can flip their outcomes according to a shared random 
bit). 

Just as for functions, we can define the communication and non-local box complexities of a distribution p. When 
error e is allowed, we require that the distribution p' simulated by the protocol be such that \\ Cp — Cp' ||oo< £■ Since 
binary distributions with uniform marginals may be represented as convex combinations of distributions arising from 
functions, we can generalize some results of the previous section to this case: 

Theorem 7. For any distribution p with uniform marginals over ^ = S = {0, 1}, we have 



Proof. For the first inequality, the non-local boxes are simulated by one-way communication the same way as they 
were for functions: the players use shared randomness to simulate Alice's output to the non-local boxes, then Alice 
computes her inputs to the non-local boxes according to those outputs, and sends them to Bob (see proof of Theorem|6] 



Let t = i?£ (p), and consider the corresponding randomized communication protocol. Let the shared randomness 
take value r with probability p^. For any possible value r, the protocol will compute a Boolean function fr such 
\hcitD{fr) < t, and || Cp - Y^rPr^f^ ||oo< e- From Coroflary [J ArLll'®(p) < 2*. Executing the non-local box 
protocol for with probability Pr, we obtain a non-local box protocol simulating p with error at most e, so that 




. 7V4''®(P) -e-rankGF,(Cp). 



for details). 



Af4l'®(p) < 2*. 
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Let t = ranker^ (Cp). By definition, there exist Boolean matrices Ar and a probability distribution such that 
rankGF2(^r) < i and || Cp ^ J^rP^^r ||oo< £■ Let be the Boolean function described by communication matrix 
Ar- Theorem [1] implies that 7VL'I'®(/,.) < t. Executing the non-local box protocol for fr with probability pr, we 

obtain a non-local box protocol simulating p with error at most e, so that NL]}'®{p) < t. The proof goes conversely 
as well. □ 

The upper bound on the non-local box complexity in terms of the communication complexity may be slightly 
improved. While this is an insignificant improvement for most applications involving Boolean functions, this becomes 
relevant when considering low communication complexity distributions, as is the case for some quantum distributions. 

Theorem 8. For any distribution p with uniform marginals over A = B={Q, 1}, we have A^4'(p) < S^^^p^ - 1. 

Proof. We build on an idea presented in BDLR07I to replace communication by non-local boxes. Let t — i?e(p), 
and let us first consider the case of one-way communication protocols. Denote mA{x) the message sent by Alice 
to Bob, A{x) is Alice's output, and _B(m, y) is Bob's output when he receives message m. Suppose without loss of 
generality that one message is exactly the all-zero string 0. We use one non-local box for each message except 0. In 
the non-local box for message m, Alice inputs 1 if mA{x) — m and otherwise. Bob inputs B{m,y) © B{0,y). 
At the end, Alice outputs © A{x) and Bob outputs ® 6^ © B{0,y), where {ai,bi) is the output of the i-th 

non-local box. It is easy to check that the output is always A{x) © B{mA{x), y). 

In the two-way communication case, the proof is more involved. We proceed recursively, at each step removing 
the last bit of communication. We handle the different communication scenarios by doubling the number of protocols 
at each step. Throughout this proof, T^'^' will be a fc-bit transcript, and A ■'^^ (T^^' , x) and _B,p^ (^(fe) ^ will be the 
players' outputs for the 2*'^^ different fc-bit communication protocols indexed by i. The outputs from the different 
protocols may then be used as inputs to non-local boxes, effectively replacing communication by non-local boxes. 
More specifically, suppose we have a deterministic t bit communication protocol that computes /(x, y) in parity: 

f{x,y)^A'i\T('\x)®B^\T('\y). 
We prove by downward induction on fc, from fc = i to fc = 0, that /(.t, y) may be written as 

f{x,y) = 4'=)(rW,x)©i?f (TW,y)©'0'Af (rW,x).i?f)(TW,y), (1) 

i=l 

which shows that f{x, y) can be computed with k bits of communication (to produce the outputs A^^ (yC^) ^ x) and 
^(fe) (fc) ^ y))^ followed by 2^-^-1 non-local boxes in parallel. 
It will then follow by induction that 

2'-l 

= Af\x)®Bf\y)®@Af\x)-Bf\y), 

i=l 

SO f{x, y) can be computed with 2* — 1 non-local boxes in parallel. 

Let us consider the fc-bit protocols with outputs Aj'^'' (r'^'"'\ x) and B'^'^\T^^\y) from Eq. ^ and focus on the 
fc-th bit of the transcript r'^'"'^ Since both players must agree, depending on the transcript so far T^''~^\ whether this 
bit is communicated by Alice to Bob or vice-versa, we may define a Boolean function dk = dk{T'^''~^'>), which gives 
the direction of this bit, say ^(rC^-i)) is 1 if the bit is communicated by Alice to Bob, and otherwise. Let us now 
focus on the bit strings T^'^"^) such that dk{T'^^~'^^) = 1. Since Alice may compute the next bit to be communicated 
from her input and the fc — 1 first bits of the transcript, we may write it as c^^^ = c^^\t'^''~^\x), and her output 
as A'"^'\t^''~^\x). As for Bob's output B'"^'\T^'^\y), we use a construction from IIDLR05I to replace one bit of 
communication by a non-local box: 

)(rW,2/) = Bf\T^''-^\y)®cf'^ ■ [Bf)(r(^-i)0,y) ©sf-^lrC^-i^l.y)]. 
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Therefore, when dfc(r('=-i)) = 1 we may write f{x, y) as 

f{x,y) = Ai'\T^'^-'\x)®Bi'\T^'-'^0,y)®ci'\T('~'\x)-[Bi^^ 

2*-"-! 

© Af\T(^-'\x)-Bf\T^^-^)Q,y) 

4=1 

i=l 

For < i < 2*-^^ — 1, we define the following output functions, 

Af-^\T^k-^\x) = Af\T^^-^\x) 

<2'-(7^''"'^^) = Af^(r(^--^\x).cf) (if^^O), 
when dk{T^^~^^) = 1, and similar expressions, with A and B swapped, when dk{T^^~^^) = 0. Thus, we may write 

f{x,y) ^ At'\Ti'^-'\x)(BBt'\T^'-'\y)(B 4'-'\t('~'\x) ■ Bt'\T^'-'\y)- 

i=l 

□ 

The simpler proof in the case of one-way protocol can be used to derive an explicit protocol using 3 non-local boxes 
to simulate the correlations arising from 2-outcome measurements made on an entangled bipartite state. By Tsirelson's 
theorem MTsi85L the problem of simulating these correlations reduces to the following problem. 

• AUce receives a unit vector x G R" 

• Bob receives a unit vector y G M" 

• Alice outputs A G { — 1, 1} , Bob outputs B G { — 1,1} such that the correlation equals the inner product of the 
two vectors: £^[A_B] = x ■ y. 

Corollary 9. There is a protocol for simulating traceless two-outcome measurements on maximally entangled states, 
using 3 non-local boxes in parallel. 

Proof. We sketch the protocol of Regev and Toner Assume that the inputs to the problem are two unit vectors 

Alice and Bob share a random dimension 3 subspace of M". Let G be the matrix of the projection onto this 
subspace. Alice and Bob start by applying a transformation x' — C{x),y' = C{y) (see IIRT07J for details of this 
transformation C), then project their vectors on the random subspace, x" = Gx' , y" = Gy'. Let sgn : R i-> { — 1,1} 
be the sign function, that is, sgn(x) = 1 if a; > and sgn(a;) = — 1 otherwise. Alice lets ai = sgn(a;") for i = 0, 1, 2 
and lets Ci ~ oq ■ at for i = 1,2. Alice outputs A = and sends (ci, C2) to Bob. Bob outputs B — sgn(2/" • Zci,c2)^ 
where Zc^^c2 = (l,ci,C2). 

In the protocol with 3 non-local boxes, labeled (1, —1), (—1, 1), (—1, —1), Alice inputs 1 into the box labeled 
(ci,C2) if (ci,C2) 7^ (1,1), and into the other boxes. Bob inputs (1 — sgn(y" • Zmi.ma) • (sgn(y" ■ ii,i)))/2 
into the box labeled (7711,7712). Let the outputs of the non-local box labeled 777 be {am,bm)- Then Ahce outputs 
A = ao • (-1)®™ and Bob outputs B = sgn(y'' • zi^i) ■ (-1)®™ 

□ 
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6 Secure Function Evaluation 



6.1 Honest-but-curious model 

In the honest-but-curious model, it is well known that OT and AND are equivalent (up to a factor of 2). 

Claim 3. One AND may be simulated by one OT. One OT may be simulated by two AMDs. These simulations preserve 
security in the honest-but-curious model. 

As a starting point, we consider the most basic model, namely deterministic secure computation with ANDs in 
the honest-but-curious model. Beimel and Malkin |BM04| have shown that AND[f) < 2l'^l. We show that it is 
characterized by the one-way communication complexity of /. 

Theorem 10. AND{f) = 2^"(^). 

Proof. [AND{f) < 2^ (■'^]. Let P be a one-way communication protocol for / using t — D^{f) bits of commu- 
nication, where, on input x, Alice sends a message m{x) e {0, 1}* to Bob and outputs A{x), while, on input y. Bob 
outputs B{y, m{x)). We now a build a secure protocol for / using 2* secure ANDs. We label the AND gates by a 
t-bit string i. Let m = m{x). For the AND gate labeled i, Alice inputs 1 iff m = i, while Bob inputs B{y, i). Let 
fli be the outputs of the AND gates (received by Alice). Note that a^n — B{y, m), and ai = for all i 7^ m. It then 
suffices for Alice to output A{x) © The correctness of the protocol is immediate. The privacy for Alice is trivial 
since Bob does not receive the output of the ANDs, and as a consequence no information from Alice. The privacy for 
Bob follows from the fact that the only possibly non-zero output that Alice receives from the ANDs is = B{y, m), 
which she can deduce from /(a:, y) and her input x. 

[D^{f) < \og{AND{f))]. Let P be a secure protocol for / using t = AND{f) AND gates. Beimel and 
Malkin showed that in the deterministic case, we can assume without loss of generality that there is no communication 
between Alice and Bob. In the protocol P, Alice and Bob input and qi, respectively, in the AND gate labeled i & [t], 
and Alice receives the output — Pi ■ Qi- Since Bob does not receive any information, his inputs to the AND gates 
only depend on his input y, that is, qi — qi{y). We show that the same holds for Alice. 

Let a — (ai , • • • , at) be the vector of outputs from the AND gates. For fixed x, since the protocol is deterministic, 
and Alice should only learn whether f{x, y) is or 1, she should only receive two possible vectors, say aP{x) when 
/(x, y) — {) and a^(a::) otherwise. Note that if there exists some xq E X such that f{xo, y) is constant for all y E y, 
say f{xo,y) — 0, Alice only receives one possible vector aP{xo) when x — xq. In that case, we can fix a^(a;o) 
arbitrarily to any vector different from a°(a;o). Let ni = m{x) be the first index such that a^{x) ^ a]^{x). For any 
i < m{x), a'^{x) — al{x), hence Alice knows in advance what outputs she will receive from the first m{x) — 1 gates. 
Therefore, Alice does not need these outputs (since she may infer them by herself) and we may assume without loss 
of generality that she inputs Pi{x) = in the first m{x) — 1 gates. For the AND gate number m, a"„(a;) 7^ alj^{x), so 
it has to be the case that Pm{x) = 1 (otherwise a„i is always 0). From the output of that gate, Alice already knows 
the value f{x, y) (depending on whether the output is aj^j(a;) or a}-^{x)), so she does not need the outputs of the last 
t — m{x) AND gates, and we can assume without loss of generality that she just inputs Pi {x) — for all i > m{x). 

To summarize, we can always assume that Alice inputs pi{x) = in all AND gates, except for some index 
i = m{x) where she inputs 1. For this AND gate, the output will therefore coincide with Bob's input qm{y)- From 
the definition of a^{x) and a^(x), we then have for this output qm{y) — a^i{x) iff /(a;, y) — 0, that is, in turn, 
f{x, y) — qm{y) © o-mi^)- We are now ready to build a one-way protocol for /. It suffices for Alice to compute the 
index of the relevant AND gate m = m(x) and to send it to Bob. Then, Bob sets his output to B{y, m) = qm{y), 
while Alice sets hers to A{x) = a^(x). □ 

One can say that this shows that for most functions, randomization is necessary in order to construct efficient 
protocols even in the honest-but-curious model. 

6.2 Malicious model 

As we said, the AND primitive cannot be used in the malicious model: indeed, a dishonest Alice may input 1 in all 
ANDs, and she obtains Bob's input for free, which still allows her to compute the AND. Therefore, for a dishonest 
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Alice, each AND is just equivalent to a bit of communication (Bob sends his input to Alice), and this does not allow for 
unconditional secure computation. For this reason, in the malicious model we consider the OT primitive. Moreover, 
it is known that in the malicious model, deterministic secure computation is impossible |DM99|, so we consider the 
case where Alice and Bob may use private coins and the protocol can have e error 

Due to their non-signaling property, protocols using non-local boxes only and no communication, such as those 
presented in the previous sections, are trivially secure even against malicious players. Indeed, the non-signaling 
property implies that the view of the protocol by a possibly dishonest player is always independent from the actions 
of the other player We show that certain such protocols may be transformed into protocols using OTs, namely the 
protocols where Alice and Bob use their non-local boxes in the same order. At this point, we don't know if this type 
of protocols are strictly weaker than general non-local box protocols. Nevertheless, our upper bounds in terms of 
communication complexity hold for such protocols as well (Corollary |5]) and hence they translate into upper bounds 
on OT,{f). 

Theorem 11. For any e > 0, OT,{f) < NL°"^{f). 

Proof. Let us consider a protocol for / using t non-local boxes in order and no communication. Let us denote 
{pi, . . . ,pt) and (ai, . . . ,at) the inputs and outputs of Alice's non-local boxes and (51, ... , qt) and {bi, . . . , bt) the 
inputs and outputs of Bob's non-local boxes. The fact that they use these non-local boxes in order implies that pi (and 
qi) can only depend on the inputs and outputs of the first {i — 1) non-local boxes but not on the remaining ones. Note 
that still Alice and Bob get their outputs immediately when they enter their inputs. 

We now replace each non-local box with an OT starting from the first one, keeping the distribution of the view of 
the protocol exactly the same. Alice and Bob know how to pick the inputs to the first non-local box pi , qi since they 
only depend on their inputs {x, y) and the randomness. To replace this non-local box, Alice picks a random bit ri and 
inputs {ri ,ri pi } to the OT box; Bob inputs qi and hence, his output becomes ri (Bpi ■ qi- Finally, Alice and Bob 
set the outputs of the simulated non-local box to ai — ri and bi — ri ® pi ■ qi. The simulation of the distribution of 
the outputs of the non-local box is perfect, since ai , 5i are unbiased random bits and ai 5i = Pi ■ qi- 

Alice and Bob continue with the simulation of the remaining non-local boxes until the end (Alice using a fresh 
private random bit for each NLB). Note that for each non-local box, Alice and Bob can compute the inputs Pi,qi 
from exactly the correct distribution, since they only depend on the previous (« — 1) non-local boxes which have been 
perfectly simulated. Hence, at the end, we obtain a protocol for / with the same success probability as the original 
one. Note that this construction works only when the non-local boxes are used in order. 

It remains to prove that the new protocol with Oblivious Transfer boxes that we constructed is still secure. Privacy 
for Bob is immediate since he only interacts with Alice through the OTs (there is no additional communication), and 
Ahce obtains no output from the OTs. Privacy for Alice follows from the fact that the only information that Bob 
receives from Alice during the protocol is the outputs of the OTs, and that these output bits are independent from each 
other and from Alice's input (since Alice uses independent private random bits to generate her OT inputs). □ 

From the above theorem we can conclude that all the upper bounds that we had for the NL°^''^ complexity (see 
Corollaries |2]|5]) translate into upper bounds for OTe{f). 

The construction used to replace a NLB by a OT is due to Wolf and WuUschleger IIWW05I . In this reference, this 
construction is used to prove that OT is equivalent to NLB, but note that this is strictly speaking incorrect due to the 
different timing properties of OT and NLB, as pointed out in ||BCU"'"07| . 

We now turn our attention to lower bounds, and for this we need to restrict ourselves to what we call 'optimal' 
secure protocols. An 'optimal' secure protocol is one where the function is computed securely in the usual sense, but 
we also require that for all the OT calls, there is always an input that remains perfectly secure throughout the protocol. 
Intuitively, since we try to minimize the number of OTs that we use, it should be the case that these OT calls are really 
necessary, in the sense that one of the two inputs should always remain secure. If for example both inputs are revealed 
at some point during the protocol, then one may not use this OT at all, resulting into a more efficient protocol. Even 
though intuitively our definition seems natural, at this point, we do not know whether this assumption can be done 
without loss of generality. 

Formally, we define optimal secure protocols as follows. Let us fix some notation. Consider a protocol for the 
secure computation of a function /, using communication and OT boxes. A denotes the messages from Alice to Bob; 
B Bob's messages, S and T Alice and Bob's inputs to the OT boxes and O the outputs of the OT boxes. Note that 
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only Bob receives these outputs. We assume that at every round i of the protocol, Ai is Alice's message, Bi is Bob's 
message and Si — {Sf, Si), Ti, Oi are the inputs and the output of the i-th OT box. (In some rounds we may not have 
communication, or the communication can proceed in several rounds; these cases can be handled in the same way as 
in the proof below.) A^^ , B^^ , S[^ , T[j] , 0[j] is the concatenation of the first i messages of Alice, messages of Bob, 
inputs and outputs of the i-th first OT boxes respectively. 

Definition 6. OT^ (/) is the number of 2-1 Oblivious Transfer calls required to compute f{x,y) in parity with perfect 
privacy and e error over the players' private coins, assisted with (free) two-way communication, in the malicious 
model, subject to the additional conditions that for each i, 

Prob[v4i|A[j_i],S[.,_i],S'[^],2:,r] = Prob[Ai|A[i_i], r], 
Prob[Bi|74[i],B[j_i],r[j],0[,],y,r] = Prob[Bj|A[j] , , r], 

where r is the shared random string used in the protocol. 

Let us see exactly what our definition says and how it is related to our intuitive definition of 'optimal' protocols. 
Let us consider the first condition (a similar discussion holds for the second condition, by swapping Alice and Bob's 
roles). We claim that the distribution of Ai conditioned on {A[i_^, B[i_ij,r) should be independent of {S[i],x). 
Imagine that it is not the case. Then there exist two different strings {S[i\ , x) and (S'^ij , x)', such that the distribution of 
Ai conditioned on (v4jj_i] , -B[i-i] , r) is different depending on whether Alice's inputs are {S[i] , x) or {S[i] , x)'. This 
is a contradiction to some strong notion of privacy. Bob, knowing , ^[i-i] , and receiving Ai, will get some 

information about whether Alice's inputs are {S[i] , x) or (S^i^ , a;)'. This means that first, if these two strings differ in x, 
then Bob learns information about the input, which cannot happen; and second, if they differ in one of Alice's inputs 
to some OT box, then the malicious Bob could get information about both Alice's inputs. A malicious Bob can do this 
by for example picking an OT call at random and input a random bit into the OT box. With non-zero probability, this 
would be exactly the box for which he can get information about one input bit and with half probability this bit will be 
different than the one he learned from the OT box. Hence, we believe that our definition captures exactly the notion 
of an 'optimal' protocol where the inputs x,y as well as the inputs to the OT boxes must remain secure throughout the 
protocol. 

Tlieorem 12. For any Boolean function f, OT^{f) = ^{R^{f)) 

Proof. We want to show that even in the randomized case, communication doesn't help a lot. In other words, we want 
to show that 0{t) bits of communication are sufficient, where t is the number of OT boxes the players use. Recall that 
we assume that the protocol is optimal in the following sense: privacy is preserved if both the inputs of the players 
and one of the inputs to the Oblivious Transfer boxes remain secure throughout the protocol. We start with a perfectly 
secure protocol that uses t OT boxes where Bob receives the outputs, and arbitrary two-way communication between 
Alice and Bob. We show how to obtain a protocol using 0{t) bits of communication (and no OT boxes) by proceeding 
in four steps. 

1 . First, we show that the optimality conditions imply that we can entirely suppress the communication from Alice 
to Bob. We defer the proof of this part to the end of the proof. After this first step, we have a perfectly secure 
protocol using t OT boxes where Bob receives the outputs, no communication from Alice to Bob and arbitrary 
communication from Bob to Alice. 

2. The second step is to invert the t OT boxes, meaning that we simulate each OT box where Bob receives the 
output by an OT box where Alice receives the output. It is well-known that this is possible if we add one bit of 
communication from Alice to Bob for each OT box i WW06I . Therefore, this step requires to reintroduce t bits 
of communication from Alice to Bob. Note that the simulation is such that the new protocol is still optimal, that 
is, it still satisfies the conditions of Definition|6] where Alice and Bob's roles are swapped. Hence, we now have 
a perfectly secure protocol using t OT boxes where Alice receives the outputs, t bits of communication from 
AUce to Bob and arbitrary communication from Bob to Alice. 

3. The third step is to suppress the communication from Bob to Alice. For this step, we just need to reuse the 
analysis of step one. Notice that the situation is similar to step one, since now Alice gets the outputs of the OT 



18 



boxes. After this, we end up with a perfectly secure protocol using t OT boxes where Alice receives the outputs, 
t bits of communication from Alice to Bob, and no communication from Bob to Alice. 



4. Finally, Alice and Bob can simulate these t OT boxes by communicating 2t bits and hence we end up with a 
communication protocol of complexity 3t. This concludes the proof of the theorem. 

We now show how to perform the first step of the proof. The goal is to have Alice and Bob use their shared 
randomness in order to pick Alice's messages without her sending any bit. On the other hand. Bob is going to send 
the same messages to Alice as before and they will also use the same OT boxes. Bob can fix his private randomness in 
the beginning of the protocol. Alice is going to start with a uniform distribution on her private randomness and during 
the protocol she will update this distribution in order to remain consistent with the protocol up to that point. 

We now describe the original protocol in more detail: 

• AUce and Bob pick their private randomness and rs uniformly at random. 

• For every round i of the protocol 

- Alice and Bob use an OT box with inputs 5*^ and Ti respectively and Bob receives output Oj. Alice's input 
to the i-th OT box is a fixed function of (^[i-i] , ^[i-i] , 'S'[i-i] , x, r, r^) and Bob's input is a fixed function 

of , , T[,_i] , 0[,_i] , y, r, r^). 

- Alice computes her message Ai as a function of (v4[j_i] , , , x, r, ta) and sends it to Bob. 

- Bob computes his message Bi as a function of {A[i] , B[i_^ , Tjj] , , y, r, rg) and sends it to Alice. 

We look at the distribution induced by this protocol Prob[r^, rB,A, B, S, T, 0\x, y, r] and have 

Prob[r^, rs, A, B, S, T, 0\x, y, r] 

,Bu^i\,Su^i\,x,r, ta] 

je[t] 

•Prob[v4i I , , S[i\ , X, r, ta] ■ Prob[Si | Af^j , , T[,] , 0[i] , y, r, tb] ■ 

We now give a new protocol where Alice and Bob use their shared randomness to simulate Alice's messages. The 
distribution remains exactly the same as in the original protocol. In order for this to hold, Alice needs to "update" her 
private randomness to retain consistency. Here is the new protocol: 

• Alice and Bob pick their private randomness and vb uniformly at random. 

• For every round i of the protocol 

- Alice and Bob use an OT box with inputs Si, Ti respectively and Bob receives output Oi. 

Alice picks her input Si according to Prob[S'i|yl[j_i], -B[i--i] , S[i_i],x, r]. Bob's input is the same func- 
tions of , -B[j_i] , T[j_i] , 0[i-i] , y, r, Tb) as in the original protocol. 

- Alice and Bob simulate Alice's message by sampling from the distribution Prob[Ai , , t], i.e. 
they pick a next message from all messages that are consistent in the original protocol with the shared 
randomness r and the transcript so far, averaged over the private randomness ta for Alice. The key point 
is that due to the optimality condition in Definition|6l Bob also knows the distribution of Alice's message 
Ai when averaged over ta, since it does not depend on (S'[i] , x). 

- Bob computes his message Bi as the same function of (A[i] , -B[i-i] , T\^i\ , 0[i\ , y, r, tb) as in the original 
protocol and sends it to Alice. 

- Alice "updates" her private randomness by picking ta according to Prob[rA | A[i] , , >S'[j] , x, r] . 



19 



We need to show that the distribution corresponding to the above protocol is exactly the same as in the original 
protocol and also that this a well-defined procedure. We have for the new protocol: 



Pioh[rA,rB, A, B, S, T, 0\x, y, r] = Pmh[rA] ■ Prob[rB] 

_i] , -B[j_i] , ,x,r]- Prob[Tj| , -B[j_i] , Tfj.i], 0[j_i] , y, r, tb] ■ Prob[Oi|5i, T,] 

ie[t] 

' J ' ' ij I J Lj Lj Prob[rA|^[i-i],B[i-i],S^[i-i],a;,r] 

Note that as it should be the distribution of va after the ^-th round is exactly 

r> ur 1 TT PT^oHrA\A[^,B[i],S[i],x,r] r. ur i /i n c i 

We now show that the distributions which correspond to the two protocols are the same. It is easy to see that we 
need to prove the following fact 

Proh[Si\A[i_i],B[i_i],S[i_i],x, r, r^] ■ Prob[^i|^[i_i], a;, r, r^] = 

Prob[5.|A[._,],i3[,_,],^[,_,],x,r] .Prob[^,|^[,_,],i?[._,],r] • p,,b[r^|^t,_,„ E,J,„ x, r] 

We have 



Prob[S'i \A^i-i] , , S[i_-i] , X, r, r^] • Prob[Ai | , B[i_i] ,S[i], x, r, r^] 

,,a A , A n a 1 P^oh[Si, A„ rA\A[,_i], B[,_^, S[i_i], X, r] 

= Pvoh[Si,Ai\A[i_i],B[i_^,S[i_i],x,r,rA] = ^ , r , . ^—^ — S 

' ^ ' ^ ' ^ ' Prob[rA|A[«_i],S[,_i],5[,_i],x,r] 

I i I ' ^ ' PToh[rA\A[i_^,B[i_i],S[i_i],x,r] 

For the last equation we used first that Prob[rA , B^i-i] i , a;, r] = Prob[rA | , B^q , S[{\ , x, r] since Bi 
is independent of va (for fixed and more importantly that we have Pvoh[Ai\A[i_i-^,B[i_^,S^i^,x,r] = 

Prob[Ai|^[i_i], B[i_i],r]. The last equality comes from the privacy of the protocol and the fact that it is optimal. 

Now, let us make sure that all these probabilities are non-zero. This follows from the privacy of the protocol. Let's 
say that after the (i-l)-th round Alice has been able to update her private randomness to a consistent ta- In the next 
round, Alice picks input Si for the OT box from the distribution of all inputs Si that are consistent for some va and 
AUce and Bob pick a message Ai as Ahce's next message. The distribution from which AUce and Bob picked Ai 
is from all messages for which for shared randomness r, there exists an input x and inputs 5[j] such that there exists 
a string ta so that Ai is consistent with (x, r, r^, ^[i-i], S'[i]). From privacy, if there exists an x and inputs S^^^ for 
which the transcript A^i] is consistent for some va, then it has to be consistent for all inputs x and all inputs S[i] and 
for some other r^. Otherwise, Bob will gain information about x or S[iy Hence, there will always be a choice of 
which is consistent with the protocol. This finishes the first step, and consequently, the whole proof. □ 



7 Conclusion and open questions 

We have shown various upper and lower bounds on non-local box complexity, and shown how the upper bounds could 
be translated into bounds for secure function evaluation. We have also shown how to simulate quantum correlations 
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arising from binary measurements on bipartite entangled states using 3 non-local boxes. Note that combining these 
last two results also implies that such quantum correlations may also be simulated using 3 OT boxes. The advantage is 
that, while non-local boxes may not be actually realized (due to their violation of Tsirelson's bound), OT boxes may 
be implemented under computational assumptions. Note that such a simulation with OT boxes breaks the timing prop- 
erties of the EPR experiment, but this is unavoidable when simulating quantum correlations using classical resources, 
due to the violation of Bell inequalities. Moreover, contrary to a simulation with communication such as in [RTOTJ, 
using OT boxes preserves the cryptographic properties of the experiment, that is, Alice does not learn anything about 
Bob's measurement (and vice versa). 

During our investigations, we have come across a series of interesting open questions. 

• For randomized non-local box complexity in parallel, can we remove the XOR restriction, that is, is the case 
thatNL£{f) w NL^e'^if) = £— rank^Fa The proof for the deterministic does not carry over because of 
the inherent randomness of the non-local boxes, which could be used to save on the number of non-local boxes 
when some error probability is authorized. 

• While the Disjointness function provides an example of exponential gap between parallel and general determin- 
istic non-local box complexity, the gap disappears in the randomized model. Is it always the case that parallel 
and general randomized non-local box complexities are polynomially related? 

• In general, non-local boxes could be used in a different order on Alice and Bob's side. Does this provide any 
advantage, that is, are there functions for which NL^lf) < NL°'^'^{f)'? 

• As for secure function evaluation, we proved that the communication complexity is a lower bound on OT com- 
plexity only under some optimality assumption. Can this assumption be made without loss of generality? 

• Finally, another interesting question is whether we can prove an analogue of Theorem [12] for non-local boxes. 
Ideally, we would like to prove that for secure computation with ordered non-local boxes, communication does 
not help. Indeed, due to the reduction from ordered non-local box protocols to OT protocols and vice versa, this 
would imply that NL°'^'^{f) is exactly OTi.[f), and not just an upper bound. This would of course provide even 
more motivation to study non-local box complexity in the context of secure function evaluation. Note that work- 
ing with non-local boxes instead of OT boxes provides a few advantages. First, protocols using non-local boxes 
(and no communication) are necessarily secure, even in the malicious model. Second, contrary to OT proto- 
cols, such non-local box protocols do not require private randomness (except the inherent randomness of the 
non-local boxes) to ensure security in this model. 
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